Skip to main content

OSCW 2026 - William Woodruff - Trusted Publishing and Attestations on PyPI, Three Years In

Video Item Preview

movies

OSCW 2026 - William Woodruff - Trusted Publishing and Attestations on PyPI, Three Years In

by
William Woodruff (he/him)

Publication date
Usage
Attribution-NonCommercial-NoDerivs 4.0 InternationalCreative Commons Licensebyncnd
Topics
oscw2026, oscw, opensourcecryptoworkshop, python, pypi, attestations, digital signatures
Language
English
Item Size
1.7G

Three years ago, PyPI began an initiative to build a more secure, lasting foundation for both publishing and signing Python packages. This initiative yielded two techniques, both built on public key cryptography: Trusted Publishing, which uses OpenID Connect to establish misuse-resistant credentials between PyPI and CI/CD systems, and Attestations, which uses machine identities and Sigstore to provide zero-setup package signing by default.

This talk offers a three year retrospective on that initiative: where it’s gone well, where it’s gone poorly, what other ecosystems have gleaned from Python/PyPI’s experience, and what the future holds for signature and transparency techniques in Open Source packaging.

NOTE: At some points this video blanks briefly to a white screen to obscure attendees with red lanyards who did not consent to being recorded.

Addeddate
2026-04-11 05:58:24
Color
color
Identifier
oscw-2026-william-woodruff-trusted-publishing-and-attestations-on-pypi-three-years-in
Scanner
Internet Archive HTML5 Uploader 1.7.0
Sound
sound


comment
Reviews

0 Views

DOWNLOAD OPTIONS

download 1 file
H.264 IA download
download 1 file
ITEM TILE download
download 1 file
MPEG4 download
download 1 file
TORRENT download
download 35 Files
download 6 Original
SHOW ALL

IN COLLECTIONS

Community Video

Uploaded by opensourcecryptoworkshop on

SIMILAR ITEMS (based on metadata)

Terms of Service (last updated 12/31/2014)